(Almost) Everything About Passwords That OWASP OWASPGbg 20140218 Per Thorsheim
Per Thorsheim
OWASP Cheat Sheets
(As a CISO)
Account creation
form @ikea
--------
Please enter
preferred username
+ password.
Online bank in Kuwait
Usability in a nutshell
Passwords are *everywhere*
17yr teens – pick your PIN
Girls Boys
1996 1337
1996
Digit distribution for PINs
4-digit memorable 4-digit non-memorable 7-digit memorable
Thank you to Andrey Bogdanov, Sondre Rønjom & Jan Fredrik Leversund for great help!
Heatmapping PINs
Rockyou
iPhone
Physical access control system
Radical.org/pinmap
By @kluzz
A birthday present every eleven wallets? The security of customer-chosen banking PINs
http://www.cl.cam.ac.uk/~jcb82/doc/BPA12-FC-banking_pin_security.pdf
http://www.cl.cam.ac.uk/~jcb82/doc/BPA12-FC-banking_pin_security-slides_ss.pdf
Daniel Amitay:
http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes
Look, and you shall see… PINs.
Guess What?
YOU ARE
PREDICTABLE!
What’s the value of a password?
Consequences?
http://arstechnica.com/security/2013/04/hacked-ap-twitter-feed-rocks-market-after-sending-false-news-flash/
Tuesday, June 5, 2012, on Twitter:
Lessons from Linkedin
Mobile Usability #1
Keys too small.
FINGERS
TOO BIG!
Oh Please GOD, NO CAPTCHAS ON PHONES! EVER!
PIN on Phone = equals PIN on Dropbox! (Why no other options for the paranoid?)
Introduction to app should include security features?
Foursquare – Verify mail account
Lastpass – iOS & Android
Unknown address, or wrong format? Can we verify mail addresses?
Default do not show password? Do not remember password?
Display password option = GOOD! (Default on?)
Tip For Mobile Usability:
Johansen = 56426736
Password Meters
Google
account
creation
Give
sound
advice
--
Recommend
2FA
«Secret» Mail + Phone #
Facebook
2FA in use!
Starttls.info
RFC 2487 -> RFC 3207
Sex
Glasses (Y/N)
Hair color
Facial hair
… and the results?
Women prefer length.
Trondheim (Norway)
Dec 7-8
passwordscon.org
Applied Risk Analysis
A final note + video